
Two networks behind an ASA5510


ideasworking
Hello,

I recently replaced a 501e PIX with an ASA5510. I did this so that a new network could be connected and managed. So here's a basic rundown of what I would like to accomplish. There are three interfaces: INSIDE 172.22.6.0, SCADA 10.10.10.0 and OUTSIDE 209.X.X.X. I would like the INSIDE hosts to have access to 10.10.10.109 port 14000; however, I don't want the SCADA hosts to be able to browse any other networks. After that I want to create a VPN tunnel so that the supplier of our SCADA system can have access from outside to the SCADA hosts. I looked at the DMZ solution, but that requires a pool of addresses on the OUTSIDE interface and I don't have that many IPs.

Any suggestions?

TIA,
Lou
 
When you set the security levels, lower levels cannot access higher levels without an ACL. So if SCADA is sec50 it will not be able to reach INSIDE (sec100).

As to the rest of that, I am not clear on what you need to get done. Do you want access from OUTSIDE to 10.10.10.109:14000 and also have a VPN to SCADA?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi Brent,

I have set the following security levels: OUTSIDE 0, SCADA 10, INSIDE 100. INSIDE hosts 172.22.6.X should be able to pull information from the SCADA host 10.10.10.109 eq 14000.

Following your comment I created the following access list entries.

access-list 110 permit ip host 10.10.10.109 172.22.6.0 255.255.255.0

access-list 100 permit ip host 10.10.10.109 172.22.6.0 255.255.255.0

Access-list 100 has no NAT. I'm guessing I need some sort of route... but I'm not sure what to do. What are your thoughts?

TIA,
Lou
 
OK,
Goal: 14000 traffic from 172.22.6.0/24 is allowed to 10.10.10.109 without NAT.

Since they are both directly connected networks, the routes should already be there. Also, if you don't explicitly add a NAT statement for that interface pair, that won't happen either. The no-NAT ACLs are really for connecting to remote networks via VPN, so it goes out the outside interface and doesn't get translated to the public IP.

All traffic from a higher sec lvl is allowed to a lower lvl. The ASA creates temporary holes to allow return traffic to come back through that matches its state table. So you should be set to go.

Now - If you want to restrict it to only that traffic to only that IP, you will need an ACL on the inside interface that says as much but still allows all other traffic to the outside.

Give it a test without adding ACLs to interfaces to make sure it goes, then add the restrictions.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi Brent,

I removed the ACLs and tried to ping a couple of devices on the 10.10.10.X network. No luck whatsoever. Could the default route be the problem?

route OUTSIDE 0.0.0.0 0.0.0.0 207.555.555.555 1

Thanks,
Lou
 
If you do a show ip route, you will see the routing table. Anything with a C is a directly connected network. These should be self-populating. If you have Windows, download portqry v2 from Microsoft and try to test it that way. There is more setup involved for allowing ICMP messages.

You could also try adding a NAT/global pair for translating from inside to scada and see the results.


Brent
Systems Engineer / Consultant
CCNP, CCSP
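The pieces Brent describes across his replies (security levels, a no-NAT/identity rule for the INSIDE-to-SCADA pair, an interface ACL that limits INSIDE to tcp/14000 on the one host, and the extra setup needed before ping works) fit together in one configuration. The following is an added example written for this thread, not a config posted by Lou or Brent. It uses pre-8.3 ASA syntax (the `nat (if) 0 access-list` / `global` style current for a 5510 of that era), the interface names and security levels Lou gave, and assumed values for everything else: the physical interface numbers, the .1 addresses on INSIDE and SCADA, the ACL names, and the placeholder public address.

```cisco
! Interface names and levels as stated in the thread; slots and .1 addresses are assumed
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address <public-ip> <mask>
interface Ethernet0/1
 nameif INSIDE
 security-level 100
 ip address 172.22.6.1 255.255.255.0
interface Ethernet0/2
 nameif SCADA
 security-level 10
 ip address 10.10.10.1 255.255.255.0

! Identity NAT (NAT exemption) for INSIDE -> SCADA. With nat-control off this
! traffic would pass untranslated anyway; with nat-control on (the PIX default,
! and often carried over by a converted config) it is dropped for lack of a
! translation, so the exemption makes the result the same either way.
access-list NONAT_INSIDE extended permit ip 172.22.6.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (INSIDE) 0 access-list NONAT_INSIDE

! Ordinary PAT to the outside address for Internet-bound traffic (assumed, as on the old PIX)
nat (INSIDE) 1 172.22.6.0 255.255.255.0
global (OUTSIDE) 1 interface

! INSIDE may open only tcp/14000 to the SCADA host; nothing else toward 10.10.10.0/24;
! everything else (i.e. the Internet) stays allowed, as Brent noted it must.
! Return traffic for these connections is matched in the state table, not by the ACL.
access-list INSIDE_IN extended permit tcp 172.22.6.0 255.255.255.0 host 10.10.10.109 eq 14000
access-list INSIDE_IN extended deny ip any 10.10.10.0 255.255.255.0
access-list INSIDE_IN extended permit ip 172.22.6.0 255.255.255.0 any
access-group INSIDE_IN in interface INSIDE

! SCADA (sec 10) is already blocked from INSIDE (sec 100), but it is above OUTSIDE (sec 0),
! so without an ACL the SCADA hosts could still browse the Internet. Deny everything they
! initiate; replies to INSIDE's tcp/14000 sessions are not affected (stateful).
access-list SCADA_IN extended deny ip any any
access-group SCADA_IN in interface SCADA

! Why the ping test failed even with no ACLs: the echo request goes high -> low and is
! allowed, but the echo reply comes back low -> high and is dropped unless ICMP is
! inspected (or explicitly permitted). Enabling ICMP inspection lets the test work.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Two checks worth running after this: `show route` (the ASA command for the routing table) should list 172.22.6.0/24, 10.10.10.0/24 and the OUTSIDE subnet as C (connected) entries, and `show nat` / `show xlate` should show the INSIDE-to-SCADA flow using the identity rule rather than the outside PAT. The supplier's VPN to the SCADA hosts is a separate step not covered here; note that a `deny ip any any` on the SCADA interface does not stop the supplier's traffic arriving from OUTSIDE, because that traffic is evaluated on the OUTSIDE interface (and, by default, VPN traffic bypasses interface ACLs via `sysopt connection permit-vpn`).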
 